News AMD 'Zenbleed' Bug Allows Data Theft From Zen 2 Processors, Patches Released

It's kind of a bummer that we've entered an age where a processor's ability to operate at peak performance is limited to a time window. Hopefully they can come up with a way to mitigate/patch these at the hardware level at some point in future designs.

That depends what each company classifies as 'peak performance' and how they modify their chips to behave.
This will of course depend on the voltage, core temps, etc... however, one can always reduce the frequencies a bit and lose about 5% performance if it means the processor can operate at its peak 24/7.

Usually, CPUs can be modified to hit a given frequency for a small window before throttling back... but in fairness, this usually happens on laptops which have tighter thermal constraints vs desktops.
 
It's kind of a bummer that we've entered an age where a processor's ability to operate at peak performance is limited to a time window. Hopefully they can come up with a way to mitigate/patch these at the hardware level at some point in future designs.
Unless we develop CPUs out of FPGAs, you can't really patch hardware. Once it's etched in the silicon, that's it.

A lot of the problems simply stem from design oversights. That or they were aware of the problem, but considered the feasibility of it to be exploited too impractical for the performance benefit. At the end of the day though, you have to move a slider between security and performance, because the two are mutually exclusive.
 
I'm still on a 2 year old BIOS. I'm not upgrading. Ya, my PC is vulnerable, to who? The random guy that's going to pick me out of a billion people and somehow know that I have a Zen 2 chip. Ya, these vulnerabilities exist, but in practice they are completely irrelevant, unless you're a big datacenter/big company with sensitive data. A home PC gamer shouldn't be worried
 
I'm still on a 2 year old BIOS. I'm not upgrading. Ya, my PC is vulnerable, to who? The random guy that's going to pick me out of a billion people and somehow know that I have a Zen 2 chip. Ya, these vulnerabilities exist, but in practice they are completely irrelevant, unless you're a big datacenter/big company with sensitive data. A home PC gamer shouldn't be worried
Most of these security vulnerabilities aren't a big deal for home users. However, they are a big deal for corporate desktops and especially servers.
 
I bet you he is sponsored by Intel and Ngreedia.🤣🤣
Sure and all those security vulnerabilities affecting various Intel CPUs in the past were discovered by AyyMD sponsored researchers... it's much more likely that now that AMD has become relevant again, guess what, people spend time trying to find and warn about securities affecting their CPUs...
 
I'm still on a 2 year old BIOS. I'm not upgrading. Ya, my PC is vulnerable, to who? The random guy that's going to pick me out of a billion people and somehow know that I have a Zen 2 chip. Ya, these vulnerabilities exist, but in practice they are completely irrelevant, unless you're a big datacenter/big company with sensitive data. A home PC gamer shouldn't be worried
I've been pretty much the same way with prior processor-based vulnerabilities. But this seems a bit different as it doesn't require physical access to the computer and can even be exploited by JavaScript in a browser. I'm not a coder but I do think it's elementary to write a script to test for processor before trying to plant a payload. The worst I can think of are one of the hi-jacking ones that make you pay a ransom to get your computer and data back. If you've absolutely nothing important on it that's no big deal but some of us do keep records, photos and videos. Backups are a pain to recover even if kept current...and how many do.

I think we can expect these exploits to start pretty soon now. A billion click-baits, a million who click it, a hundred thousand it actually plants, a hundred who're desperate enough to actually credit money to the numbered bit-coin wallet even if it doesn't work.

Separately: the update says we can expect AGESA updates for desktop systems in the November-December timeframe. That's a long time! I wonder if this suggests it will be mitigated in a Windows security update first? I've read it's already mitigated in the Linux kernel.
 
I'm still on a 2 year old BIOS. I'm not upgrading. Ya, my PC is vulnerable, to who? The random guy that's going to pick me out of a billion people and somehow know that I have a Zen 2 chip. Ya, these vulnerabilities exist, but in practice they are completely irrelevant, unless you're a big datacenter/big company with sensitive data. A home PC gamer shouldn't be worried
Did you read the article? This isn’t one of those unlikely to be implemented side channel attacks that require targeted methods. It does not require local access or your permission to execute.

From the article:
“allowing the theft of protected information from the CPU, such as encryption keys and user logins. The attack does not require physical access to the computer or server and can even be executed via javascript on a webpage.”
“This attack works across all software running on the processor, including virtual machines, sandboxes, containers, and processes. The ability for this attack to read data across virtual machines is particularly threatening for cloud service providers and those who use cloud instances.”
 
"This works because the register file is shared by everything on the same physical core. In fact, two hyperthreads even share the same physical register file," says Ormandy.
Okay, so either disable SMT or just limit it to threads within the same process. Problem solved, right? ...just like most of the other side-channel attacks we've been hearing about.

The only catch is, if you pick option #2, that your web browser would have to sandbox each tab and cross-site script in a separate process. Maybe they already do this?
 
Unless we develop CPUs out of FPGAs, you can't really patch hardware. Once it's etched in the silicon, that's it.
I believe the point of microcode is that they can alter which micro-ops an instruction decodes to. So, you could potentially devise a microcode-level fix if you can tweak the microcode for AVX instructions to avoid that "XMM Register Merge Optimization2" or somehow prevent VZEROUPPER from getting mispredicted.

You might also be able to mitigate at the OS level, by trapping certain instructions and emulating their functionality. This could be extremely taxing on performance, however.

Another way to mitigate this particular bug is not to use AVX-accelerated string functions, which can be done by simply updating libc. The performance difference will be negligible.
 
I'm still on a 2 year old BIOS. I'm not upgrading. Ya, my PC is vulnerable, to who? The random guy that's going to pick me out of a billion people and somehow know that I have a Zen 2 chip.
A hostile ad running in a web browser, while you log into your bank account (or other sensitive accounts) could steal your password. If that bothers you, then you might want to disable SMT or use a different PC for your financial activities or anything else you deem sensitive.

Ya, these vulnerabilities exist, but in practice they are completely irrelevant, unless you're a big datacenter/big company with sensitive data. A home PC gamer shouldn't be worried
That's what we used to think, but you know ransomware can hit everyday users too, right? And people's banking details are bought and sold on the dark web, en masse.
 
I bet you he is sponsored by Intel and Ngreedia.🤣🤣
It says right in the first sentence of the article that the researcher works for Google Information Security.

It is (or should be) known that Paul Alcorn is a known Intel fan.
I've been reading his articles for like 10 years and didn't get that sense. Do you think he's fabricating this vulnerability? If you just read the quote from the CVE, you can see it's quite serious.

His best CPUs articles are a joke with comments turned off so no one can dispute him.
I've noticed certain article types have a problem with comments. It seems mostly the "live blog" -style articles.

However, what I think you're referring to is that they periodically update certain articles and at some point a mod might lock the comments because of either trolls or spammers. If they're on the ball, they re-open the comments when an article gets updated, but they often don't. The way you can tell if this happened is by looking at the date of the first comments and you'll typically see they're years old.

I posted the following in a video card thread, because again, God forbid anyone be allowed to disagree with Paul Alcorn with his closed threads.
I think the whole concept of points-based AMD vs. Intel articles is flawed. The only things I want to know are the benchmarks and other data about heat, power, cooling requirements, etc.
 
I've been pretty much the same way with prior processor-based vulnerabilities. But this seems a bit different as it doesn't require physical access to the computer and can even be exploited by JavaScript in a browser.
The "reproducible in Javascript" aspect isn't new or unique to this exploit. You can find other side-channel attacks which are, as well. The main difference seems to be how easy and prolific this one sounds, compared with the ones based on timing.

However, I think the Javascript-based method is probably one of the easier attack vectors to mitigate. If AMD can give the JIT developers enough information about the problematic instruction sequences, they can hopefully just tweak their engine to avoid generating them.

I think we can expect these exploits to start pretty soon now. A billion click-baits,
It's not just click-baits, but also potentially infected ads or cross-site scripts used by website authors.

Separately: the update says we can expect AGESA updates for desktop systems in the November-December timeframe. That's a long time! I wonder if this suggests it will be mitigated in a Windows security update first? I've read it's already mitigated in the Linux kernel.
There are likely software mitigations that can fill the gap until updated microcode is available.

I have to wonder why there's such a lag between the fixes for Zen 2 server CPUs and client CPUs, when they're actually the same cores in both cases! I mean, that's central to AMD's chiplet strategy, right?
 
that's... very bad

the previous vulnerabilities needed physical access, but not this one.
a vulnerability able to read data from one VM to another is a nightmare. 30kb/s per core is enough to exfiltrate passwords and who knows what.

They didn't list the 5800X3D in the list, but it's a 5000 series, is it vulnerable too? asking for a friend
 
the previous vulnerabilities needed physical access, but not this one.
No, that's just wrong. There've been lots of side-channel attacks which can violate both privilege and VM boundaries via remote execution. I've lost track of how many.

Now, they're not all this easy to exploit, nor this high-bandwidth. That's the main thing that sets this one apart, IMO.
 
They didn't list the 5800X3D in the list, but it's a 5000 series, is it vulnerable too? asking for a friend
It doesn't have Radeon Graphics so it's OK.

Don't quite know why they specified it like that though, either they didn't want to draw attention to the fact that some of them were Zen 2 and some Zen 3, or it affects them anyway (maybe the relevant instructions are implemented on the IO die since they involve vector operations).
 
It doesn't have Radeon Graphics so it's OK.
If you read the exploit details, it has nothing to do with graphics.

@neojack , the 5800X3D is unaffected because it has Zen 3 cores, while the bug is found in Zen 2 cores. Some of the lower-end 5000 APUs are based on Zen 2, but not all. For instance, the 5700G is an APU based on Zen 3.
 
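Two questions come up repeatedly in this thread: "is this machine actually running Zen 2 cores, whatever the product name says?" (the 5800X3D post above) and "is SMT still enabled?" (the disable-SMT suggestions earlier). The following is an added example, not code from the thread, from AMD or from the kernel: a read-only shell check that answers both from /proc/cpuinfo and sysfs. The family/model ranges are an assumption taken from the Linux kernel's Zenbleed erratum entry (family 0x17, models 0x30-0x4f, 0x60-0x7f, 0x90-0x91, 0xa0-0xaf) and should be verified against AMD's advisory for your parts; the two cpuinfo excerpts are constructed samples, not real hosts, and the sysfs path /sys/devices/system/cpu/smt/control is the standard Linux SMT control file.

```shell
#!/bin/sh
# Added example (not from the thread, AMD or the kernel): read-only inventory
# check for a Linux host. Reports whether the CPU's family/model falls in the
# Zen 2 ranges and whether SMT is on. It changes nothing on the system.
#
# ASSUMPTION: the ranges below are the ones the Linux kernel's Zenbleed erratum
# entry covers. Verify them against AMD's advisory before relying on them.

# is_zen2_model FAMILY MODEL   (decimal, exactly as /proc/cpuinfo prints them)
# exit 0 when the pair is in a Zen 2 range, 1 otherwise
is_zen2_model() {
    fam=$1; mod=$2
    [ -n "$fam" ] && [ -n "$mod" ] || return 1
    [ "$fam" -eq 23 ] || return 1        # family 0x17 covers Zen, Zen+ and Zen 2
    if [ "$mod" -ge 48 ]  && [ "$mod" -le 79 ];  then return 0; fi   # 0x30-0x4f
    if [ "$mod" -ge 96 ]  && [ "$mod" -le 127 ]; then return 0; fi   # 0x60-0x7f
    if [ "$mod" -ge 144 ] && [ "$mod" -le 145 ]; then return 0; fi   # 0x90-0x91
    if [ "$mod" -ge 160 ] && [ "$mod" -le 175 ]; then return 0; fi   # 0xa0-0xaf
    return 1
}

# classify_cpuinfo FILE -> "zen2 ..." or "not-zen2 ..." for the first CPU entry,
# with the microcode revision so it can be compared against vendor guidance
classify_cpuinfo() {
    f=$1
    fam=$(awk -F: '/^cpu family/ { gsub(/[[:space:]]/, "", $2); print $2; exit }' "$f")
    mod=$(awk -F: '/^model[[:space:]]*:/ { gsub(/[[:space:]]/, "", $2); print $2; exit }' "$f")
    ucode=$(awk -F: '/^microcode/ { gsub(/[[:space:]]/, "", $2); print $2; exit }' "$f")
    if is_zen2_model "$fam" "$mod"; then
        echo "zen2 family=$fam model=$mod microcode=$ucode"
    else
        echo "not-zen2 family=$fam model=$mod microcode=$ucode"
    fi
}

# smt_status -> on / off / forceoff / notsupported / notimplemented from sysfs,
# or "unknown" when the file is not readable (non-Linux, container, old kernel)
smt_status() {
    f=/sys/devices/system/cpu/smt/control
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

# Constructed /proc/cpuinfo excerpts (made-up values for the example, not real hosts)
ZEN2_SAMPLE=$(mktemp); ZEN3_SAMPLE=$(mktemp)
trap 'rm -f "$ZEN2_SAMPLE" "$ZEN3_SAMPLE"' EXIT
cat > "$ZEN2_SAMPLE" <<'EOF'
vendor_id   : AuthenticAMD
cpu family  : 23
model       : 113
model name  : (constructed) Zen 2 desktop part
microcode   : 0x0
EOF
cat > "$ZEN3_SAMPLE" <<'EOF'
vendor_id   : AuthenticAMD
cpu family  : 25
model       : 33
model name  : (constructed) Zen 3 desktop part
microcode   : 0x0
EOF

echo "sample 1: $(classify_cpuinfo "$ZEN2_SAMPLE")"
echo "sample 2: $(classify_cpuinfo "$ZEN3_SAMPLE")"
# The same check against the live host, plus its SMT state
if [ -r /proc/cpuinfo ]; then
    echo "this host: $(classify_cpuinfo /proc/cpuinfo), smt=$(smt_status)"
fi
```

A "zen2" result with SMT reported as "on" is the combination the thread is arguing about; what to do with it (firmware/microcode update when the vendor ships one, kernel mitigation, or turning SMT off) is a policy choice for the owner, and the script only surfaces the facts needed to make it. Note that the product name alone is not enough, which is why the check keys on family and model rather than on the "5000 series" label.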